OpenClaw Privilege Escalation Vulnerability via Internal Command Authorization
Vulnerability
A privilege escalation vulnerability has been identified in OpenClaw versions prior to 2026.3.24. The issue arises because the `/allowlist` command does not properly re-validate gateway client scopes for internal callers. This oversight allows clients with `operator.write` scope to alter channel authorization policies. Exploitation can be achieved by using the `chat.send` command to create an internal context that bypasses normal scope restrictions, enabling unauthorized changes to channel allowlists that are meant to be restricted to `operator.admin` clients.
Impact
Clients with `operator.write` scope can make unauthorized changes to channel authorization policies, specifically the `allowFrom` and `groupAllowFrom` settings. This exploitation undermines the intended privilege separation between write actions and admin-only authorization modifications.
Reproduction
To reproduce this vulnerability, a gateway client must authenticate with `operator.write` scope. Once authenticated, the client can use the `chat.send` command, which is allowed for that scope. This action creates an internal context that includes command authorization and gateway client scopes. The client can then call the `/allowlist` command to add or remove entries, effectively changing the channel authorization policy without the required admin privileges.
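The chain above, modelled as an added example. This is not OpenClaw's code; it is a deliberately small TypeScript model of a gateway command dispatcher in which `chat.send` re-dispatches a slash command with an internal context that inherits the caller's scopes and an already-granted authorization flag. Every name in it (`Scope`, `GatewayClient`, `CommandContext`, `Gateway`, `exploitAttempt`, the `add user <entry>` argument shape) is an assumption for illustration, and the `revalidateInternal` switch stands in for the pre-2026.3.24 behaviour versus the fixed one: the vulnerable branch trusts the inherited flag, the fixed branch checks the scopes carried in the same context again.

```typescript
// Added example: a simplified model of a gateway command dispatcher with the
// scope-check flaw described in the advisory. All names are assumptions for
// illustration, not OpenClaw's real API.

type Scope = "operator.read" | "operator.write" | "operator.admin";

interface GatewayClient {
  id: string;
  scopes: Set<Scope>;
}

// Channel authorization policy: the two settings the advisory says can be altered.
interface ChannelPolicy {
  allowFrom: Set<string>;
  groupAllowFrom: Set<string>;
}

interface CommandContext {
  client: GatewayClient; // gateway client scopes travel with the context
  internal: boolean;     // true when the command was produced inside chat.send
  authorized: boolean;   // command authorization already granted upstream
}

// Scope a gateway client needs to invoke each command directly.
const REQUIRED_SCOPE: Record<string, Scope> = {
  "chat.send": "operator.write",
  "/allowlist": "operator.admin",
};

class Gateway {
  readonly policy: ChannelPolicy = { allowFrom: new Set(), groupAllowFrom: new Set() };

  // revalidateInternal=false models the vulnerable build, true models the fix.
  constructor(private readonly revalidateInternal: boolean) {}

  // Entry point for commands sent by an authenticated gateway client.
  handle(client: GatewayClient, command: string, args: string[]): string {
    const required = REQUIRED_SCOPE[command];
    if (required === undefined) throw new Error(`unknown command ${command}`);
    if (!client.scopes.has(required)) throw new Error(`${command} requires ${required}`);
    return this.execute({ client, internal: false, authorized: true }, command, args);
  }

  private execute(ctx: CommandContext, command: string, args: string[]): string {
    switch (command) {
      case "chat.send": {
        // A chat message beginning with "/" is re-dispatched as a command. The
        // internal context inherits the caller's scopes and the authorization
        // flag that was granted for chat.send, not for the inner command.
        const text = args.join(" ");
        if (text.startsWith("/")) {
          const [inner = "", ...rest] = text.split(" ");
          return this.execute({ client: ctx.client, internal: true, authorized: true }, inner, rest);
        }
        return "message sent";
      }
      case "/allowlist": {
        // Vulnerable: an internal caller is trusted on the inherited flag alone.
        // Fixed: the scopes carried in the same context are checked again.
        const allowed = ctx.internal && !this.revalidateInternal
          ? ctx.authorized
          : ctx.client.scopes.has("operator.admin");
        if (!allowed) throw new Error("/allowlist requires operator.admin");
        const [op = "", list = "", entry = ""] = args;
        const target = list === "group" ? this.policy.groupAllowFrom : this.policy.allowFrom;
        if (op === "add") target.add(entry);
        else if (op === "remove") target.delete(entry);
        else throw new Error(`unknown allowlist operation ${op}`);
        return `allowlist ${op} ${entry}`;
      }
      default:
        throw new Error(`unknown command ${command}`);
    }
  }
}

type Outcome = "allowed" | "denied";

function attempt(fn: () => string): Outcome {
  try { fn(); return "allowed"; } catch { return "denied"; }
}

// Runs the advisory's reproduction steps against a gateway built with or without the fix,
// then checks that a genuine operator.admin client still works either way.
function exploitAttempt(fixed: boolean): {
  direct: Outcome; viaChatSend: Outcome; adminDirect: Outcome;
  allowFrom: string[]; groupAllowFrom: string[];
} {
  const gw = new Gateway(fixed);
  const writer: GatewayClient = { id: "writer", scopes: new Set<Scope>(["operator.write"]) };
  const admin: GatewayClient = { id: "admin", scopes: new Set<Scope>(["operator.admin"]) };
  // Step 1: a direct /allowlist call is correctly refused for operator.write.
  const direct = attempt(() => gw.handle(writer, "/allowlist", ["add", "user", "attacker"]));
  // Step 2: the same change sent through chat.send, which operator.write may call.
  const viaChatSend = attempt(() => gw.handle(writer, "chat.send", ["/allowlist add user attacker"]));
  // Legitimate path: an admin edits the group allowlist directly.
  const adminDirect = attempt(() => gw.handle(admin, "/allowlist", ["add", "group", "alice"]));
  return {
    direct, viaChatSend, adminDirect,
    allowFrom: Array.from(gw.policy.allowFrom),
    groupAllowFrom: Array.from(gw.policy.groupAllowFrom),
  };
}

console.log("vulnerable:", exploitAttempt(false));
console.log("fixed:", exploitAttempt(true));
```

The point the model makes is that the scope check lives only at the external entry point; once a command is re-entered from inside `chat.send`, the `/allowlist` handler sees a context that already says "authorized" and never asks whether the client behind that context holds `operator.admin`. The fix is not a new flag but re-deriving the decision from the scopes the context already carries.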
Remediation
Users should update to OpenClaw version 2026.3.24 or later, where this vulnerability has been patched. After upgrading, confirm that a client holding only `operator.write` is refused when it submits `/allowlist` through `chat.send`, and review the current `allowFrom` and `groupAllowFrom` entries for changes made before the update.
